Alert overload leaves mid-market security teams exposed
UpGuard has published research suggesting mid-market security teams spend 43% of their incident response time gathering context manually rather than fixing threats, as high alert volumes and fragmented tools slow investigations.
The study, the 2026 Context Gap Report, looks at the gap between detection and the information analysts need to confirm what an alert means and who should act. The findings are based on a survey of 400 information security leaders across North America, APAC and India.
A headline finding is that many organisations learn about problems from outside sources before internal controls flag them. UpGuard reported that 79% of organisations were notified of a threat by a third party, such as a researcher, a customer, or an attacker, before their own detection identified the issue.
The pattern points to missed detections and slow validation: alerts arrive, but teams struggle to confirm whether they represent a real incident. The same conditions can also slow containment and remediation once vulnerabilities are known.
Alert overload
The research describes a "triage trap" driven by large volumes of low-quality alerts. The median security team spends 20 minutes dismissing a single "junk alert", increasing the cost of routine monitoring and reducing time for investigation and remediation.
In the most extreme cases, the report suggests manual triage becomes a structural capacity issue rather than a process problem. UpGuard found that 25% of organisations require 214 hours per week for manual triage, equivalent to 5.3 full-time employees.
Mid-market organisations typically have smaller security teams and tighter budgets than large enterprises, while facing similar exposure to commodity cybercrime and automated scanning. That makes investigation efficiency critical, particularly when multiple systems generate alerts.
Tool sprawl
The report also links missed threats to the number of disconnected tools in use. Organisations using more than five separate security tools were twice as likely to miss critical threats as those using an integrated toolset, according to UpGuard.
Disjointed tooling adds work during investigations, as analysts pivot across consoles, reconcile conflicting signals, and assemble timelines from different data sources. Even when telemetry exists, delays follow if staff must chase asset ownership, validate exposure, and decide whether an alert is a real incident.
UpGuard framed this as a context problem rather than a response problem, arguing teams are not necessarily slow to patch or contain threats once they have a clear view of what is happening and who owns the issue.
Greg Pollock, UpGuard's Director of Research, said the main drag on response is the effort spent understanding an alert rather than taking action.
"Security teams aren't slow at fixing threats - they're buried in the work of understanding them," Pollock said. "When 43% of a security team's investigation time is consumed by manual context gathering, the downstream cost is measurable: in 79% of companies, it took a customer, a researcher, or law enforcement to find what their own tools missed. This is a wake-up call. Detection without context is just noise with a timestamp."
AI pressure
The report also points to changes in attacker behaviour, with UpGuard stating that AI is increasing the volume and speed of cyberattacks and adding pressure on security operations. Higher alert rates can amplify existing weaknesses in process and staffing, especially when analysts spend significant time determining whether alerts are credible.
UpGuard positioned automation as a way to cut the time spent assembling investigative information across assets, suppliers and users. It said teams that consolidate tooling and use unified attack-surface visibility can reduce "time-to-context" from hours to seconds.
The research also describes a "virtuous cycle" in which automated context gathering shifts analyst effort toward decision-making and prioritisation. The stated outcome is fewer remediation delays and fewer incidents, as triage becomes less dependent on manual correlation.
UpGuard develops cyber risk and risk management software, focusing on cyber risk posture management across vendors, attack surface and workforce. Founded in 2012, the company is headquartered in Hobart, Tasmania, with a US headquarters in Mountain View, California.
Pollock is scheduled to discuss cyber defence return on investment at RSAC 2026 in a session titled "From Crisis to Confidence: Cyber Defence ROI When Every Dollar Counts."